Working with Java KeyStore
You have two apps on Google Play Store. Which one from the list below that you chose to sign your apps prior to releasing them to Google Play?
- Sign all your apps with the same certificate
- Sign each app with different certificate in the same Java KeyStore (let’s simply call it KeyStore)
- Create a new KeyStore with new certificate for each app
Let’s say you chose the second option.
And then, someone reach out to you, wanting to buy your second app. And instead of killing it, the plan is to develop it further.
That means, you would need to provide the certificate (let’s call it second certificate) to sign said app, so an updated version could be published to Google Play Store. What would you do?
You’re right, this post is about answering that
What would you do? question with regards to the KeyStore.
What would you do?
But first, what could you do? What are the alternatives?
- Send a copy of the KeyStore, along with the passphrase for the KeyStore and the second certificate. If you’re using the same passphrase for all certificates in the KeyStore, either change the passphrase for the second certificate, or change the passphrase for the rest, as well as the passphrase for the KeyStore.
- Create a copy of existing KeyStore, remove all certificates but the second, modify the passphrase for KeyStore, and send the modified KeyStore.
To me, it’s obvious the second option is the better one, as you only share what they need. So, how might we do that?
Copy the KeyStore
$ cp original-keystore.jks second-app-keystore.jks
Certificate in KeyStore can be accessed through alias.
Unless you remember the aliases for all certificates in the KeyStore, let’s first find out what aliases existed in the KeyStore. To do this, we’re going to use a tool called
keytool, which is distributed along with JDK or JRE.
$ keytool -keystore second-app-keystore.jks -list
Running that command, you will get output similar to the following.
Keystore type: JKS
Keystore provider: SUN...alias-name-1, Jan 1, 2000, PrivateKeyEntry...alias-name-2, Mar 1, 2000, PrivateKeyEntry...
To remove an alias, you can use the following.
$ keytool -keystore second-app-keystore.jks -delete -alias "alias-name-1"
Verify that the KeyStore only contains alias to second certificate by re-running the command to list the aliases provided above.
Now that you have a KeyStore that only contains the certificate you want to share, let’s wrap up everything by modifying the passphrase for the KeyStore.
$ keytool -keystore second-app-keystore.jks -storepass "$CURRENT_KEYSTORE_PASSPHRASE" -storepasswd -new "$NEW_KEYSTORE_PASSPHRASE"
By now, you should have a KeyStore, which passphrase has been modified, and only contains the certificate that’s needed by your second app buyer.
So, rephrasing the first question at the beginning of this post, what will your decision be when it comes to signing your apps prior to releasing them to Google Play?
Choose one that will render this post obsolete!
Thanks to Natalia Lionardy.